17.4.5.6. Scope configuration for Loginapp JSP

IAM as OAuth 2.0 AS with local consent

  • OAuth 2.0 scopes are mapped to Airlock IAM user roles.
  • For each granted scope, the authenticated user in IAM must have a corresponding role.
  • If the user has no roles, or none of the user's roles are whitelisted for use as scopes, the confirmation page would be empty and is therefore suppressed.
  • Consequently, if an OAuth 2.0 client requests only scopes that Airlock IAM cannot grant, the resulting scope set may be empty. If the Airlock IAM configuration prohibits empty scope sets, authorization fails in this case.
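As an added illustration of the scope-to-role rules above (not Airlock IAM's own code; the function, class and sample data are assumptions), the following models how a requested scope set is reduced to grantable scopes, how a role that is not whitelisted never becomes a scope, and what happens when the result is empty:

```python
"""Model of the local-consent scope rules (added illustration, not Airlock IAM
code; names and data structures are assumptions)."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the scope set is empty and empty scope sets are prohibited."""


@dataclass
class ConsentDecision:
    granted: frozenset                 # scopes the AS may actually grant
    show_consent_page: bool            # False when there is nothing to confirm
    dropped: frozenset = field(default_factory=frozenset)  # requested, not grantable


def evaluate_local_consent(requested_scopes, user_roles, scope_whitelist,
                           allow_empty_scope_set=False):
    """Reduce the client's requested scopes to those the user can be granted.

    A scope is grantable only if it is whitelisted as a scope AND the
    authenticated user holds the role of the same name (scope <-> role mapping).
    A role that is not whitelisted is never exposed to the client as a scope.
    """
    requested = frozenset(requested_scopes)
    grantable = frozenset(scope_whitelist) & frozenset(user_roles)
    granted = requested & grantable
    dropped = requested - granted
    if not granted and not allow_empty_scope_set:
        raise AuthorizationError(
            "no requested scope maps to a whitelisted role of this user; "
            "empty scope sets are prohibited")
    # An empty confirmation page is suppressed rather than shown.
    return ConsentDecision(granted=granted,
                           show_consent_page=bool(granted),
                           dropped=dropped)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    whitelist = {"profile", "email", "accounts.read"}
    alice_roles = {"profile", "accounts.read", "internal-admin"}
    decision = evaluate_local_consent(["profile", "email", "accounts.write"],
                                      alice_roles, whitelist)
    print(sorted(decision.granted), sorted(decision.dropped),
          decision.show_consent_page)
```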

Local consent is configured as follows:

  • Client-centric AS: MAIN SETTINGS (or Loginapp) >> Application Settings >> affected target application >> OAuth or OIDC Identity Propagator >> Consent: use OAuth 2.0 Local Consent.
  • AS-centric AS: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> affected AS >> OAuth 2.0 Grants/OIDC Flows >> OAuth 2.0 Authorization Code Grant >> Consent: use OAuth 2.0 Local Consent.

IAM as OAuth 2.0 AS with remote consent

  • When using the remote consent concept (see 13.3.1.3.1. Remote consent applications with OAuth), Airlock IAM has no knowledge of which scopes the remote consent application granted.
  • Airlock IAM accepts and uses the scopes exactly as reported by the remote consent application.

Remote consent is configured here:

  • Client-centric AS: MAIN SETTINGS (or Loginapp) >> Application Settings >> affected target application >> OAuth or OIDC Identity Propagator >> Consent: use OAuth 2.0 Remote Consent.
  • AS-centric AS: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> affected AS >> OAuth 2.0 Grants/OIDC Flows >> OAuth 2.0 Authorization Code Grant >> Consent: use OAuth 2.0 Remote Consent.